PATENT 



In the Claims: 
1-54. (Cancelled) 

55. (Currently Amended) A method comprising: 
populating an access control list with a destination user group identifier, wherein 
said populating is performed by a network device and comprises 
sending a request to another network device, and 
receiving a response from said another network device, wherein 
said response includes comprises said destination user group identifier, wherein 
said access control list is a role-based access control list, 
said destination user group identifier identifies a destination user group of a 
destination, 

said access control list comprises a source user group field configured to store a 
source user group identifier and a destination user group field configured 
to store a destination user group identifier, 
said source user group comprises a plurality of source network devices, 
said source user group is assigned to said source based on a role of said source, 
said destination user group comprises a plurality of destination network devices, 
said destination user group is assigned to said destination based on a role of said 
destination, and 

said access control list is configured to allow said source user group identifier and 
said destination user group identifier to be compared. 

56. Cancelled 

57. Cancelled 

58. (Original) The method of claim 55, further comprising: 
comparing a user group of a packet with said destination user group. 

59. (Original) The method of claim 58, wherein 
said user group of said packet is a source user group, 

said destination user group is a user group of a destination of said packet, and 
said destination is said destination of said packet. 

60. (Original) The method of claim 59, wherein 

said source user group is assigned to a source of said packet based on a role of said 
source, and 

said destination user group is assigned to said destination based on a role of said 
destination. 

61. (Original) The method of claim 59, wherein 

said source user group is indicated by a source user group identifier stored in said packet, 
and 

said destination user group is indicated by a destination user group stored in a network 
device receiving said packet. 

62. (Original) The method of claim 59, further comprising: 
determining said source user group; and 

determining said destination user group by looking up said destination user group in an 
access control list. 

63. (Cancelled) 

64. (Original) The method of claim 62, wherein said determining said source user 
group comprises: 

extracting a source user group identifier from said packet, wherein 

said source user group identifier identifies said source user group. 

65. (Currently Amended) A computer program product comprising: 

a first set of instructions, executable on a computer system, configured to populate an 
access control list with a destination user group identifier, wherein 
said to populate is performed first set of instructions are executed by a 
network device and comprises comprise 

sending a first subset of instructions, executable on said computer 
system, configured to send a request to another network device, 
and 

receiving a second subset of instructions, executable on said computer 
system, configured to receive a response from said another 
network device, wherein 
said response includes comprises said destination user group identifier, wherein 
said access control list is a role-based access control list, 
said destination user group identifier identifies a destination user group of a 
destination, 

said access control list comprises a source user group field configured to store a 
source user group identifier and a destination user group field configured 
to store a destination user group identifier, 
said source user group comprises a plurality of source network devices, 
said source user group is assigned to said source based on a role of said source, 
said destination user group comprises a plurality of destination network devices, 
said destination user group is assigned to said destination based on a role of said 
destination, and 

said access control list is configured to allow said source user group identifier and 
said destination user group identifier to be compared; and 
computer readable storage media, wherein said computer program product is encoded in 
said computer readable storage media. 

66. (Original) The computer program product of claim 65, further comprising: 

a second set of instructions, executable on said computer system, configured to compare 
a user group of a packet with said destination user group. 

67. (Original) The computer program product of claim 66, wherein 
said user group of said packet is a source user group, 

said destination user group is a user group of a destination of said packet, and 
said destination is said destination of said packet. 

68. (Original) The computer program product of claim 67, further comprising: 

a third set of instructions, executable on said computer system, configured to determine 

said source user group; and 
a fourth set of instructions, executable on said computer system, configured to determine 

said destination user group by looking up said destination user group in an access 

control list. 

69. (Original) The computer program product of claim 68, wherein said third set of 
instructions comprises: 

a first subset of instructions, executable on said computer system, configured to 
extracting a source user group identifier from said packet, wherein 
said source user group identifier identifies said source user group. 

70. (Currently Amended) An apparatus comprising: 

means for populating an access control list with a destination user group identifier, 
wherein 

said means for populating is performed by comprised in a network device 
[[and]], 

said means for populating comprises 

means for sending a request to another network device, and 
means for receiving a response from said another network device, 
wherein 

said response includes comprises said destination user group identifier, wherein 
said access control list is a role-based access control list, 
said destination user group identifier identifies a destination user group of a 
destination, 

said access control list comprises a source user group field configured to store a 
source user group identifier and a destination user group field configured 
to store a destination user group identifier, 
said source user group comprises a plurality of source network devices, 
said source user group is assigned to said source based on a role of said source, 
said destination user group comprises a plurality of destination network devices, 
said destination user group is assigned to said destination based on a role of said 
destination, and 

said access control list is configured to allow said source user group identifier and 
said destination user group identifier to be compared. 

71. (Original) The apparatus of claim 70, further comprising: 

means for comparing a user group of a packet with said destination user group. 

72. (Original) The apparatus of claim 71, wherein 

said user group of said packet is a source user group, 

said destination user group is a user group of a destination of said packet, and 

said destination is said destination of said packet. 

73. (Original) The apparatus of claim 72, further comprising: 
means for determining said source user group; and 

means for determining said destination user group by looking up said destination user 
group in an access control list. 

74. (Original) The apparatus of claim 73, wherein said means for determining said 
source user group comprises: 

means for extracting a source user group identifier from said packet, wherein 
said source user group identifier identifies said source user group. 

75-117. (Cancelled) 